| Vulnerability Name: | CVE-2020-15216 (CCN-189497) | ||||||||||||
| Assigned: | 2020-09-29 | ||||||||||||
| Published: | 2020-09-29 | ||||||||||||
| Updated: | 2021-05-05 | ||||||||||||
| Summary: | In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0 | ||||||||||||
| CVSS v3 Severity: | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-347 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2020-15216 Source: XF Type: UNKNOWN goxmldsig-cve202015216-sec-bypass(189497) Source: MISC Type: Patch, Third Party Advisory https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 Source: CCN Type: goxmldsig GIT Repository Signature Validation Bypass Source: CONFIRM Type: Third Party Advisory https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 Source: FEDORA Type: Third Party Advisory FEDORA-2021-9316ee2948 Source: FEDORA Type: Third Party Advisory FEDORA-2021-a2a7673da2 Source: MISC Type: Third Party Advisory https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview Source: CCN Type: WhiteSource Vulnerability Database CVE-2020-15216 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||